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Abstract.  To  resist  Binary  Decision  Diagrams  (BDD)  based  attacks,  a 
Boolean  function  should  have  a  high  BDD  size.  The  hidden  weighted  bit  func¬ 
tion  (HWBF),  introduced  by  Bryant  in  1991,  seems  to  be  the  simplest  function 
with  exponential  BDD  size.  In  [28],  Wang  et  al.  investigated  the  cryptographic 
properties  of  the  HWBF  and  found  that  it  is  a  very  good  candidate  for  being 
used  in  real  ciphers.  In  this  paper,  we  modify  the  HWBF  and  construct  two 
classes  of  functions  with  very  good  cryptographic  properties  (better  than  the 
HWBF).  The  new  functions  are  balanced,  with  almost  optimum  algebraic  de¬ 
gree  and  satisfy  the  strict  avalanche  criterion.  Their  nonlinearity  is  higher  than 
that  of  the  HWBF.  We  investigate  their  algebraic  immunity,  BDD  size  and  their 
resistance  against  fast  algebraic  attacks,  which  seem  to  be  better  than  those  of 
the  HWBF  too.  The  new  functions  are  simple,  can  be  implemented  efficiently, 
have  high  BDD  sizes  and  rather  good  cryptographic  properties.  Therefore, 
they  might  be  excellent  candidates  for  constructions  of  real-life  ciphers. 

1.  Introduction 

To  resist  the  main  known  attacks,  Boolean  functions  used  in  real  ciphers  should 
be  balanced,  with  high  algebraic  degree,  with  high  algebraic  immunity,  with  high 
nonlinearity  and  with  good  immunity  to  fast  algebraic  attacks.  It  would  be  better 
if  the  function  is  non-normal  and  satisfies  the  strict  avalanche  criterion.  Up  to 
now,  many  classes  of  Boolean  functions  with  high  algebraic  immunity  have  been 
introduced  [4,  5,  6,  10,  11,  15,  16,  22,  23,  25,  26,  27,  30,  31,  32,  34].  However, 
none  of  them  can  gather  all  the  necessary  criteria  and  be  implemented  efficiently. 
Moreover,  none  of  them  took  BDD-based  attacks  into  consideration. 

To  resist  BDD-based  attacks,  which  were  first  introduced  by  Krause  in  2002  [14], 
a  Boolean  function  should  have  a  high  BDD  size.  It  is  known  that  an  n  variable 
symmetric  Boolean  function  has  a  BDD  size  0{n2)  [13],  and  therefore  it  is  weak 
against  BDD-based  attacks.  The  hidden  weighted  bit  function  (HWBF),  proposed 
by  Bryant  [1],  looks  like  a  symmetric  function,  but  in  fact,  it  has  an  exponential 
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BDD  size  and  its  VLSI  implementation  has  low  area-time  complexity  [1].  In  [13], 
Knuth  reproved  Bryant’s  theorem  stating  that  the  HWBF  has  a  large  BDD  size, 
regardless  of  how  one  reorders  its  variables.  Therefore,  the  HWBF  can  resist  BDD- 
based  attacks  and  could  be  implemented  efficiently. 

In  [28],  Wang  et  al.  investigated  the  cryptographic  properties  of  the  HWBF 
and  found  that  it  has  overall  very  good  cryptographic  properties:  balancedness, 
optimum  algebraic  degree,  strict  avalanche  criterion,  good  algebraic  immunity,  good 
nonlinearity  and  good  behavior  against  fast  algebraic  attacks.  Since  the  HWBF  has 
a  high  BDD  size  and  can  be  implemented  very  efficiently,  it  is  a  potential  candidate 
for  the  stream  cipher  construction. 

In  this  paper,  we  modify  the  HWBF  and  construct  two  classes  of  functions  with 
very  good  cryptographic  properties  (better  than  those  of  the  HWBF).  The  new 
functions  are  balanced,  with  almost  optimum  algebraic  degree  and  satisfying  the 
strict  avalanche  criterion.  Their  nonlinearity  is  higher  than  that  of  the  HWBF. 
We  investigate  their  algebraic  immunity,  BDD  size  and  their  resistance  against  fast 
algebraic  attacks,  which  seem  to  be  better  than  those  of  the  HWBF  too.  The  new 
functions  are  simple,  can  be  implemented  efficiently,  have  high  BDD  sizes  and  rather 
good  cryptographic  properties.  Therefore,  they  might  be  excellent  candidates  for 
stream  ciphers  constructions. 

The  paper  is  organized  as  follows.  In  Section  2,  the  necessary  background  is 
established.  We  introduce  a  concatenation  of  two  hidden  weighted  bit  functions  in 
Section  3.  In  Section  4,  we  give  the  other  concatenation  of  four  functions.  We  end 
in  Section  5  with  conclusions. 


2.  Preliminaries 

Let  F£  be  the  ro-dimensional  vector  space  over  the  finite  field  F2.  We  let  Bn  be 
the  set  of  all  n- variable  Boolean  functions  from  F£  into  F2. 

Any  Boolean  function  /  £  Bn  can  be  uniquely  represented  as  a  multivariate 
polynomial  in  F2[xi,  . . .  ,xn],  called  the  algebraic  normal  form  (ANF) 

f(x i,...,xn)=  ^2  II  II' 

KC{l,2,...,n}  k£K 

The  algebraic  degree  of  /  is  the  number  of  variables  in  the  highest  order  term  with 
nonzero  coefficient  and  is  denoted  by  deg (/). 

A  Boolean  function  is  affine  if  there  are  no  term  of  degree  strictly  greater  than  1 
in  the  ANF.  The  set  of  all  affine  functions  is  denoted  by  An. 

Let 

!/  =  {*€  FJ| f(x)  =  1},  0 f  =  {x€  F£|  f{x)  =  0}, 

be  the  support  of  a  Boolean  function  /,  and  its  complement  function  /  +  1,  respec¬ 
tively.  The  cardinality  of  1/  is  called  the  Hamming  weight  of  /,  and  will  be  denoted 
by  wt(f).  The  Hamming  distance  between  two  functions  /  and  g  is  the  Hamming 
weight  of  f  +  g,  and  will  be  denoted  by  d(f,g).  We  say  that  an  n- variable  Boolean 
function  /  is  balanced  if  wt(f)  =  2"  . 

Let  /  £  Bn.  The  nonlinearity  of  /  is  the  distance  from  the  set  of  all  n- variable 
affine  functions,  that  is, 

nl(f)  =  min  d(f,g). 
g 

The  nonlinearity  of  an  n- variable  Boolean  function  is  bounded  above  by  2n~1  — 
2"/2-1,  and  a  function  is  said  to  be  bent  if  it  achieves  this  bound.  Clearly,  bent 
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functions  exist  only  for  even  n  and  it  is  known  that  the  algebraic  degree  of  a  bent 
function  is  bounded  above  by  ^  [2,  9,  24].  The  r -order  nonlinearity ,  denoted  by 
is  the  distance  from  the  set  of  all  n-variable  functions  of  algebraic  degrees 
at  most  r. 

For  any  /  £  Bn:  a  nonzero  function  g  £  Bn  is  called  an  annihilator  of  /  if  fg 
(the  function  defined  by  fg{x)  =  f(x)g(x))  is  null,  and  the  algebraic  immunity 
of  /,  denoted  by  AZ(f),  is  the  minimum  value  of  d  such  that  /  or  /  +  1  admits  an 
annihilator  of  degree  d  [19].  It  is  known  that  the  algebraic  immunity  of  an  n- variable 
Boolean  function  is  bounded  above  by  [8]. 

To  resist  algebraic  attacks,  a  Boolean  function  /  should  have  a  high  algebraic  im¬ 
munity,  which  implies  that  the  nonlinearity  of  /  is  also  not  very  low  since,  according 
to  Lobanov’s  bound  [17] 


To  resist  fast  algebraic  attacks,  a  high  algebraic  immunity  is  not  sufficient.  If  we 
can  find  g  of  low  degree  and  h  of  algebraic  degree  not  much  larger  than  n/ 2  such 
that  fg  =  h ,  then  /  is  considered  to  be  weak  against  fast  algebraic  attacks  [7,  12]. 
The  higher  order  nonlinearities  of  a  function  with  high  (fast)  algebraic  immunity  is 
also  not  very  low  [2,  18,  21,  29]. 

The  Walsh  transform  of  a  given  function  f  £  Bn  is  the  integer-valued  function 
over  Fj  defined  by 

Wf{w)  =  ]T  (—!)/(*)+-, 

where  ui  £  and  to  ■  x  is  an  inner  product,  for  instance,  u>  ■  x  =  u \X\  +  0122:3  + 
•  •  •  +  ujnxn.  It  is  easy  to  see  that  a  Boolean  function  /  is  balanced  if  and  only  if 
Wf( 0)  =  0.  Moreover,  the  nonlinearity  of  /  can  be  determined  by 

nl{f)  =  2n~1  -  *  max \Wf{w)\. 

Z 

The  autocorrelation  function  of  f  £  Bn  is  defined  by 

Cf(a)  =  (-l)/(x)+/(x+a). 

XEF2 

Also,  /  satisfies  the  strict  avalanche  criterion  if  Cf(a)  =  0,  for  wt(a)  =  1  [33]. 

A  truth  table  of  order  n  is  a  binary  string  of  length  2n.  A  bead  of  order  n  is  a 
truth  table  /3  of  order  n  that  does  not  have  the  form  aa  for  any  string  a  of  length 
2n~1.  The  beads  of  a  Boolean  function  are  the  subtables  of  its  truth  table  that 
happens  to  be  beads.  The  BDD  size  of  a  Boolean  function  /,  denoted  by  B(f),  is 
the  number  of  beads  that  /  has.  To  resist  BDD-based  attacks,  a  Boolean  function 
should  have  a  large  BDD  size,  regardless  of  how  one  reorders  its  variables. 

3.  Concatenation  of  two  functions 

Let  a,  b  be  integers.  Define  “EE”  as  follows: 

amb={  n  if  n\(a  +  b), 

\  a  +  b  (mod  n)  otherwise. 

Lemma  3.1.  Ifl  <d<n  and  (n,  d)  =  1,  then  the  set  {lEB(fc*d)  |  k  =  1,  2, . . . ,  n}  = 
{1,2,...,  n}. 
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Proof.  Let  G  =  {1,2,  ...,n}.  Clearly,  (G,  EH)  is  a  cyclic  group  of  order  n  with  1  as  a 
generator.  Since  (n,  d)  =  l,d*l  =  lEE31EEI---EEIl  =  dis  also  a  generator,  and  the 
result  follows.  □ 


Let  h  £  Bn  be  the  hidden  weighted  bit  function.  That  is, 

hix)  =  {  °  x  =  0, 

'  '  {  xwt(x)  otherwise. 

It  is  known  that  h  is  balanced,  with  the  optimum  algebraic  degree  and  satisfying 
the  strict  avalanche  criterion  [28]. 

Let  h(x xn)  =  h(S  |_nj(a;))  =  h(x^  J+i, . . . ,  xy*  j),  where 

1  (*)  =  J>  •  •  •  >XnfflLfj)’ 

Let  1 1  denote  the  concatenation.  We  consider  the  function  hx  £  Bn+ x  as  a  concate¬ 
nation  of  two  functions: 

(1)  hi(x i, . . .  ,xn+i)  =  h(x i, . .  .,xn)\\h{xi, . .  .,xn). 

In  fact,  we  can  construct  a  family  of  functions  in  the  form  of  h(x)\ \h(Si(x)),  where 
1  <  i  <  n—1.  These  functions  possess  the  similar  cryptographic  properties,  and  the 
function  has  the  best  nonlinearity  when  i  =  For  that  reason,  we  only  consider 
h(x)\ (x))  here.  Moreover,  if  we  take  h(x)  to  be  any  balanced  function  with 
optimum  algebraic  degree  and  some  other  good  cryptographic  properties,  then  some 
of  the  following  theorems  (e.g.  Theorem  3.2)  still  hold.  In  particular,  we  can  take 
h(x)  to  be  the  Carlet-Feng  function.  One  can  certainly  ask  about  the  cryptographic 
properties  of  h(x)\ \h(Si(x)),  for  other  functions  h ,  and  we  leave  this  as  an  open 
problem. 


Theorem  3.2.  The  function  h\  £  Bn+ \  ( n  >  3)  defined  by  (1)  is  balanced  and 


deg(/ii) 


n  if  n=  1,2,3  (mod  4), 

>  n  —  1  if  n  =  0  (mod  4). 


Proof.  Since  h  is  balanced,  then  the  concatenation  of  two  balanced  functions  is  also 
a  balanced  function.  Hence  the  first  claim  is  proven. 

Clearly,  hi(xx, . .  -,xn+1)  =  xn+1(h(xlt  ...,xn)  +  h(x  i, . . .  ,xn))  +  h(x  i, . .  .,xn). 
Therefore,  deg  (hi)  >  n  —  1.  We  now  prove  that  deg(fti)  =  n,  for  n  =  1,2,3 
(mod  4).  That  is,  g  =  h(x i, . . . ,  xn)  +  h(x i, . . . ,  xn )  is  of  degree  n  —  1.  Let  1  h  = 
{(bn  +  1,  bi2  +  1, . . . ,  bin  +  1),  1  <  i  <  2”-1}.  Then  the  coefficient  of  the  monomial 
XiX2  •  •  ■  Xk- iXk+i  ■  ■  ■  xn  in  the  ANF  of  h  equals  (see  e.g.  [2,  9]) 


2"-1 

y  ]  bik 


n 

Y  |  jar]  wt(x)  =  j,  Xj  =  1  and  Xk  =  0}  | 


(mod  2). 


Case  1:  n  =  2  (mod  4),  n  >  3. 

Since  Y?i= x  bn  =  2"-2  -1  =  1  (mod  2)  (if  n  >  3)  and  X)Li  br!Z+ 1  =  2n_2  “ 
(rlf2)  =  0  (mod  2),  the  coefficient  of  the  monomial  xx  ■  ■  ■  x»  x»+2  ■  ■  ■  xn  in  the  ANF 
of  g  equals  1,  and  the  result  follows. 

Case  2:  n  =  1,  3  (mod  4). 
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Since  deg (h)  —  n  —  1  and  h  contains  the  monomial  X2X3  ■  ■  •  xn,  if  deg(<?)  <  n  —  1, 
then  h(xi, . . . ,  xn)  =  h(S^j  (x))  also  contains  X2X3  ■  ■  ■  xn,  and  thus  h(x\, ...,  xn) 
contains  the  monomial  x\  ■  ■  ■  X[^j+iX[«j+3  •  •  •  xn.  Since  ( n ,  [f  J  +  1)  =  1,  then  by 
Lemma  3.1,  the  ANF  of  h  contains  all  the  monomials  of  degree  n  —  1.  That  is, 


Y^i= 1  kj  =  1  (mod  2),  for  1  <  j  <  n.  However,  Xw=i  hn  =  2n  2  =  0  (mod  2), 


which  is  a  contradiction  and  the  result  follows. 


□ 


Lemma  3.3.  ///1,  /2  €  Bn  satisfy  the  strict  avalanche  criterion  and  /1+/2  is  a  bal¬ 
anced  function,  then  the  concatenation  f  =  /1H/2  also  satisfies  the  strict  avalanche 
criterion. 

Proof.  We  need  to  prove  that  /( x)  +  f(x  +  a)  is  balanced,  for  a  =  (au, . . . ,  a„+i), 
wt(a)  =  1  and  a*,  =  1,  where  1  <  k  <  n  +  1. 

Case  1:  a*,  =  1,  for  1  <  k  <  n.  That  is,  =  0. 

Since  f±  and  fi  satisfy  the  strict  avalanche  criterion,  we  have 


Xn  +  1=0 


where  a  =  (a\, . . . ,  an).  Hence,  f(x)  +  f{x  +  a)  is  balanced. 
Case  2:  an+i  =  1. 

Since  /1  +  is  balanced,  we  have 


Xn+l=l 


and  the  result  follows. 


□ 


Theorem  3.4.  The  function  hi  £  Bn+ 1  defined  by  (1)  satisfies  the  strict  avalanche 
criterion. 

Proof.  Since  h(x)  and  h{x)  satisfy  the  strict  avalanche  criterion,  by  Lemma  3.3,  we 
need  to  prove  that  h(x)  +  h(x)  is  balanced.  Clearly, 


n 


Similarly, 


n 


Hence,  |0ft+^|  =  |0^  D  0^|  +  |1^  n  1^|  =  2n  and  the  result  follows. 


□ 
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Remark  3.5.  From  the  proof  of  Theorem  3.4,  it  is  easy  to  see  that  h( x)  +  h(Si( x)) 
is  balanced,  for  1  <  i  <  n.  Then  by  Lemma  3.3,  h(x)\\h(Si(x))  also  satisfies  the 
strict  avalanche  criterion. 

Lemma  3.6  (Lemma  1  of  [28]).  Let  uj  =  (wi,...,w„),  wt(uj)  =  1  and  ujk  =  1. 
Then 

We  now  show  a  similar  result  for  our  constructed  function  hi. 

Lemma  3.7.  Let  uj  =  (wi, . . . ,  uin+ 1)  and  wt(ui )  =  1.  Then 

[  4 (((if)  for  n  even, 

Whl  (u|  1 4  +  ^  foj,  n  odd 

which  is  a  tight  bound. 


Proof.  Let  1  <  k  <  n  +  1  and  Uk  =  1-  Let  Q  =  (w i, . . . ,  uin). 
Case  1:  k  =  n  +  1. 

Since  h(x )  and  h(x)  are  both  balanced,  we  have 


whl(w)  =  y  (-i)/ii(x)+Xn+i 

xef2+1 

=  y  +  Y  (-i  f{x)+1  =  o. 

X^F^  X^F^ 

Case  2:  1  <  k  <  n. 

By  Lemma  3.6,  we  have 


whM  =  Y  (-1) 


If  n  is  even,  then 


h  1  ( x)-\-Ld-X 


(_l^h(x)+u-x  _|_  (_ l)ft( 

x^F*  xEF, 


x)-\-u)-x 


=  4 


n  —  2 
k-  1 


Whl(u)<  4( 

and  the  equality  can  be  achieved  when  k  =  n  or  ff.  If  n  is  odd,  then 


n  —  2 

fcffl  (n-  Lf J)  -  1 )’ 


n  —  2 

n- 2  I  > 

2 


W/uM  <  4  ^  n_i  ^  +  1^  , 

and  the  equality  can  be  achieved  when  k  =  ^±4,  and  the  result  follows. 
Lemma  3.8.  Let  2  <  k  <  n  and  wt{u)  =  k.  Then 


Whl{co)  < 


for  n  even, 
for  n  odd. 


□ 
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Proof.  Let  u>  =  (wi,  w2,  ■  ■  ■ ,  wn+i)  and  Wj  =  1  if  *  S  {si,  s2, . . . ,  s*,}.  Let  w  = 
(wi, . . .  ,wn).  We  have 

Whl(w)  =  51  (-l)hl(a)+"‘* 

xSFj+1 

_  y  '  _j_  y  '  ^_-^^fi(x)+D-x+un+i 

If  uin+ 1  =  0,  then  W^w)  =  Wh(u;)  +  W^(cD).  By  [28],  we  have 

dj  +  i 

n  55255 

W,(2)  =  2  5]  E^-Ci), 


1=1  j=i 

ie{si,s2,---,Sfc} 


and 


IW(D)  =  2 


E 


2=1 

ie{siffl[f  J ,Sfe  ES  L  } 


E^-co, 

3= 1 


where  d*  =  2[iy!LJ  +  1  and 


Ci  = 


Let 


n  —  k  +  V 
i-2j  +  1, 

{i  |  i fflf 

-J  G  {si,S2, .  •  .  , 

{si,  s2, . 

•  •  i  J-l 

{j<J 

|  *  e  a} 

\i  G  h)  ■ 

h  = 
h  = 
h  = 

h  = 


Then 

d^  +  1  di  + 1 

2  2 

w„»  =  2  55  55(c2-c!)+2  55  55(c2-co. 

ie/2u/4  j=i  ie/iU/3  i=i 

For  1  <  k  <  n  —  1 ,  let 

di  + 1 

Sk  =  max  | {  55  55(C!-C2)}|, 

ieTfc  j= 1 

where  2\  runs  over  all  ^-element  subsets  of  {1, 2, n}.  We  have  5*,  =  >Sn-fc  and 
decreases  at  first  and  then  increases.  Therefore,  |W/ll(w)|  achieves  the  maximum 
value  when  k  =  IL=-1  for  n  odd  and  k  =  for  n  even.  Then  we  have 


\Whl{u)\  < 


4(S^I) 


for  n  even, 


4  +  1^  for  n  odd. 

The  proof  for  the  case  ojn+ 1  =  1  is  similar,  and  the  result  follows. 
Lemma  3.9  (Lemma  3  of  [28]).  Let  wt(ui)  =  n.  Then  Wf t(cj)  =  0. 
Lemma  3.10.  Let  wt(oj)  =  n  +  1.  Then  Wh^{ w)  =  0. 


□ 
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Table  1.  Algebraic  immunity  and  nonlinearity  of  h  and  h\ 


n 

AI{h) 

AI{hi) 

nl(h) 

nKJi.i) 

6 

3 

3 

20 

24 

7 

3 

4 

44 

52 

8 

4 

4 

88 

106 

9 

4 

4 

186 

216 

10 

4 

5 

372 

440 

11 

5 

5 

772 

884 

12 

5 

6 

1544 

1794 

13 

5 

6 

3172 

3592 

14 

5 

6 

6344 

7266 

15 

6 

6 

12952 

14536 

Proof.  Let  uj  =  (ui i, . . . ,  un)  =  (1, . . . ,  1).  By  Lemma  3.9,  we  have 

WHi(uj)  =  (-l)Mx)+2’x  +  Y,  (-lf(x)+S'x+1  =0  +  0  =  0, 

and  the  result  follows.  □ 


Theorem  3.11.  For  the  function  hi  £  Bn+  \  defined  by  (1),  we  have 


nl{h\)  = 


2”  -  2(^Z|) 


2”  -  2 


(<v) 


for  n  even, 
for  n  odd. 


Proof.  By  Lemmas  3.7,  3.8  and  3.10,  we  have 


max  \Whl(u)\  = 


for  n  even, 
for  n  odd, 


and  the  result  follows. 

Theorem  3.12.  We  have 


AI(hi)  > 


+  1. 


□ 


Proof.  Since  h  and  h  are  affine  equivalent,  they  have  the  same  algebraic  immunity, 
which  is  >  [f  J  +  1  by  Theorem  4  of  [28].  Then  by  Proposition  1  of  [4],  AZ(hi)  > 
Lfj+L  □ 


It  seems  that  AX(hi)  >  AI(h)  and  in  some  cases  AI(hi)  >  AI(h),  which  can 
be  found  in  Table  1,  where  h ,  hi  £  Bn. 

Let  deg(<?i)  =  d  <  AX(hi)  and  hi  ■  gi  =  g2-  We  expect  that  deg(g2)  is  as  high 
as  possible  for  any  gi  of  low  degree.  The  optimum  case  for  a  Boolean  function  to 
resist  fast  algebraic  attacks  is  that  deg(gi)  +  deg(g2)  =  n  +  1  for  any  gi  of  degree 
deg(gi)  <  AX(hi).  Let  deg(g2)  =  e.  For  6  <  n  +  1  <  13,  in  Table  2,  we  give 
the  lowest  possible  values  of  (d,e).  Compared  with  the  HWBF,  in  most  cases,  the 
function  hi  has  a  better  behavior  against  fast  algebraic  attacks. 

To  resist  BDD-based  attacks,  a  Boolean  function  should  have  a  high  BDD  size. 
In  Table  3,  one  can  find  BDD  size  of  the  majority  function  maj ,  the  hidden  weighted 
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Table  2.  Behavior  of  the  function  hi  against  Fast  Algebraic  Attacks 


n 

6 

7 

8 

9 

10 

11 

12 

13 

(d,e) 

(1.4) 

(1,5) 

(1,6) 

(1,7) 

(1,8) 

(1,9) 

(1,10) 

(1,10) 

(2,3) 

(2,4) 

(2,5) 

(2,5) 

(2,7) 

(2,8) 

(2,9) 

(2,9) 

(3,4) 

(3,4) 

(3,4) 

(3,6) 

(3,6) 

(3,8) 

(3,8) 

(4,5) 

(4,5) 

(4,6) 

(4,7) 

(5,6) 

(5,6) 

Table  3.  BDD  size  of  maj ,  h  and  hi 


n 

B(maj) 

B{h) 

B(hi) 

6 

14 

25 

27 

7 

18 

40 

42 

8 

22 

57 

67 

9 

27 

85 

95 

10 

32 

121 

136 

11 

38 

172 

198 

12 

44 

240 

290 

13 

51 

335 

388 

14 

58 

459 

517 

15 

66 

630 

737 

16 

74 

856 

959 

bit  function  h  and  the  modified  function  h±,  with  the  standard  ordering  of  variables. 
Clearly,  as  a  symmetric  Boolean  function,  the  majority  function  has  a  very  small 
BDD  size.  Although  the  BDD  size  of  h  is  big,  the  BDD  size  of  the  modified  function 
hi  is  even  bigger  than  that  of  h. 


4.  Concatenation  of  four  functions 

Let  h  £  Bn  be  the  hidden  weighted  bit  function.  Let  h2  £  Bn+ 2  and  h2(x\ , . . . , 
xn+2)  =  h(a;)||h(5|_5j(a;))||h(5|_»j(a;))||h(5Lnj  +  L2j(a;)).  Clearly,  h2  is  a  balanced 
function. 

Lemma  4.1.  The  sum  of  the  two  halves  of  h2,  that  is,  h  =  (h(x)\\h(S^^(x)))  + 
(h(S,Lfj(a;))||h(S'Lij  +  Lfj(a:)))  is  balanced. 

Proof.  Clearly,  h  =  (h(x)  +  h(S'L?J  (a;)))|  |(fc(S,L»J  (x))  +  h(5LnJ  +  L„j  (a;))).  By  Re¬ 
mark  1,  h(x)  +  h(S^ aj  (x))  and  h{Sy^ j  (a;))  +  h(S,[aj_)_|_ aj  (a;))  are  balanced  functions, 
and  the  result  follows.  D 

By  Lemmas  3.3  and  4.1,  it  is  easy  to  see  that  h-2  satisfies  the  strict  avalanche 
criterion. 
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Lemma  4.2.  Let  uj  =  (cji,  . . .  ,u;n+2)  and  wt(uj)  =  1.  Then 


Wh2{a>)  <  4  max 


n—2 


n  —  2 


+ 


n  —  2 


i<k<n  ^  yfc  —  1/  EB  (n  —  |_i J )  —  1/  \fc  B3  (n  —  LfJ )  —  1 
Kkm(n-  L|J  -  LfJ)  - 1)}  ’ 

which  is  a  tight  bound. 

Proof.  Let  cD  =  (ui i, . . . ,  wn).  Consider  w*,  =  1  for  1  <  k  <  n  +  2. 

Case  1:  k  =  n  +  1  or  n  +  2. 

Since  h ,  h(Sy™ j),  h(Sy™ j)  and  /i(5[«j  +  |_^j)  are  all  balanced,  we  have 

Wh2  (W)  =  Y  (_l)M*)+»* 

xew™+2 

_  _|_  yy  ^ (*))+*»= 


x  GFg 

a;„+i=a:Il+2=0 


x„+i  +  l=a:„+2=0 
ft-lS'i"  j  (a:))+a:fc 


+  £  (-i) 

^n+l=^n  +  2  +  l=0 

+  ^  (_l)^'S'LfJ  +  Lfj(x))+*fc 


X„  +  i=X„+2  =  l 


=  0. 

Case  2:  1  <  k  <  n. 

By  Lemma  3.6,  we  have 

whM  =  y,  (-vh2{x)+u 


^  (-l)h(*)+“-x  +  ^  (-l)h(SU 


j  (x))+uj-X 

+  Y  ( _ 1)^^L5J  ix))+U'x  +  Y  (_l)'l(SLf  J  +  Lf  j(®))+2-® 


aiGF; 


=  4 


n—2 
k-  1 


xgF? 


n  —  2 


fcffl(n-LfJ)-!/  Vfc  ffl  (r?.  —  LfJ)  -  1 


n  —  2 


+4 

and  the  result  follows. 


n  —  2 

fcffl  (rr- LfJ  -  LfJ)  -  ’ 


□ 


Similarly,  as  for  hi,  one  can  find  some  other  cryptographic  properties  for  h2,  and 
we  gather  these  in  the  following  theorem,  whose  proof  we  omit. 

Theorem  4.3.  The  Boolean  function  h2  €  Bn+ 2  is  a  balanced  function,  it  satisfies 
the  strict  avalanche  criterion,  has  degree  deg(h2)  >  n  —  1,  AI{h2)  >  |_§ J  +  1  and 

n  —  2 


il(h2)  =  2n+1  -  2  max  If™  ^  +  ( 

1  <k<n  {  \k  -  1J  \ 


fcffl  (n-  LfJ)  -  1 


n—2 


n  —  2 


kS(n- LfJ)  -  17  Vfcffl(n-LfJ-LfJ)-! 
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Table  4.  Algebraic  immunity,  nonlinearity  and  BDD  size  of  h2 


n  +  2 

AI{h2) 

nl{h2) 

B(h2) 

10 

5 

448 

137 

11 

5 

896 

196 

12 

6 

1820 

280 

13 

6 

3658 

383 

14 

6 

7508 

571 

15 

7 

15018 

782 

Table  5.  Behavior  of  the  function  h2  against  Fast  Algebraic  Attacks 


Tl  -\-  2 

(d,  e) 

10 

(1,7) 

(2,6) 

(3,5) 

(4,5) 

u 

(1,9) 

(2,8) 

(3,7) 

(4,6) 

12 

(1,10) 

(2,9) 

(3,8) 

(4,7) 

(5,6) 

13 

(1,H) 

(2,10) 

(3,9) 

(4,8) 

(5,6) 

In  Table  4,  one  can  find  the  algebraic  immunity,  nonlinearity  and  BDD  size  of 
h2  £  Bn+ 2  for  10  <  n  +  2  <  15.  Clearly,  the  BDD  size  of  h2  is  better  than  that  of 
h ,  AX(h2)  >  AKh\)  and  the  nonlinearity  of  h2  is  much  higher  than  that  of  h  and 
h\.  In  Table  5,  one  can  find  the  behavior  of  the  function  h2  against  fast  algebraic 
attacks,  which  is  better  than  that  of  h ,  as  well. 

We  have  the  following  well-known  results. 

Proposition  4.4.  Let  pi{xi, . . . ,  *2)  £  Bi  be  balanced,  p2(xi+±, . . . ,  Xi+m)  £  Bm 
and  p  =  pi  +  P2  be  the  direct  sum  of  p±  and  p2.  Then  we  have 

1)  deg(p)  =  max{deg(pi),deg(p2)}- 

2)  AL(p)  >  max{AX(pi),  AT(p2)j. 

3)  nl(p )  =  2mnl(pi)  +  2 lnl(p2)  -  2nl{jpi)nl{p2) . 

Recall  that  the  fast  correlation  attack  has  an  on-line  complexity  proportional 
to  (7)  ,  where  e  =  \  ^ P-  is  the  so-called  bias  [20].  In  consideration  of  the 
implementation  efficiency,  we  compare  the  16-variable  Carlet-Feng  function  with 
the  256-variable  HWBF.  Let  fc  be  the  16-variable  Carlet-Feng  function  discussed 
by  [26],  h  =  h2 56  +  ^257^258  +  ^259^260  +  ^261^262  +  ^263^264  +  3^265^266  +  3^267^268  + 

^'269*^270 T^r 271  *^272 5  ^1  =  ^-l256^a;257a;258+a:259a:260+a:261^262+^263a;264+^265a;266  + 
^267^268  +  £269^270  +  ^271^272  and  h2  =  /l2256  +  ^257^258  +  ^259*260  +  ^261^262  + 
^263*264  +  ^265*266  +  *267*268  +  *269*270  +JC271*272-  Then,  the  bias  of  Jf  is  e  = 
0.0036,  while  by  Proposition  1,  the  bias  of  h  is  e  =  0.0001,  the  bias  of  hi  is  e  = 
0.00005  and  the  bias  of  h2  is  e  =  0.000025.  Clearly,  the  behavior  of  h  and  hi  against 
fast  correlation  attacks  is  better  than  that  of  /c,  and  h2  has  the  best  behavior  among 
all  of  them.  We  have  AL(fc)  =  8,  while  the  other  three  functions  have  algebraic 
immunities  at  least  86.  The  Carlet-Feng  function  also  has  an  exponential  BDD 
size.  However,  B(fc)  <  215,  and  it  is  much  smaller  than  the  BDD  sizes  of  the  other 
three  functions. 
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Example  4.5.  Let  h.  hi,  h2  £  B 12.  Then  they  are  all  balanced  and  satisfy  the  strict 
avalanche  criterion,  deg(h)  =  deg(hi)  =  deg(h2)  =  11;  AI(h)  =  5  and  AL{h\)  = 
AI{h2)  =  6;  nl(h)  =  1544,  nl(hi)  =  1794  and  nl{h2)  =  1820;  B(h)  =  240,  B(hi)  = 
290  and  B{h2)  =  280.  Comparing  it  with  h,  hi  has  a  better  behavior  and  h2  has 
the  best  behavior  against  fast  algebraic  attacks  (it  is  noticed  that  h2  £  Bi2  has 
the  optimum  algebraic  immunity  and  the  optimum  behavior  against  fast  algebraic 
attacks).  Clearly,  all  these  cryptographic  properties  of  hi  and  h2  are  better  than 
those  of  h. 


5.  Conclusion 

This  paper  modifies  the  HWBF  and  constructs  two  infinite  classes  of  functions 
with  very  good  cryptographic  properties  (better  than  those  of  the  HWBF).  To 
summarize,  the  new  functions  are  balanced,  have  almost  optimum  algebraic  degree 
and  satisfy  the  strict  avalanche  criterion.  Their  nonlinearity  is  higher  than  that  of 
the  HWBF.  We  investigate  their  algebraic  immunity,  BDD  size  and  their  resistance 
against  fast  algebraic  attacks,  which  seem  to  be  better  than  those  of  the  HWBF, 
too.  Since  the  new  functions  can  be  implemented  very  efficiently,  they  can  be  used 
with  a  large  number  of  variables,  which  allows  reaching  very  good  cryptographic 
properties.  The  new  functions  could  be  excellent  candidates  for  stream  ciphers 
constructions. 
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